On Mon, Jan 20, 2003 at 03:57:29PM +1100, Ng, Edward B wrote:
> Hi Folks,
>
> I run an FTP server on a public Linux box which is visible on the
> internet. For the last few months, I have had "visitors" who basically
> attempt to open multiple connections to the FTP server, and repeatedly
> try to login as anonymous. I have ignored this till now, but lately the
> FTP server has been shutting itself down because of too many
> simultaneous connections happening at the same time by these anonymous
> attempts. I was wondering is there an application out there which can
> do a temporary block on the IP of someone who has tried to login to FTP
> too many times and failed? I am currently running an iptables firewall,
> but I do not want IPs to be permanently blocked, just say blocked for
> 24 hours and then allowed again.
>
> Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
> Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
> Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
> Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
> Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
> Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
> Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
> Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
> Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
> Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
>
> regards
>
> Edward Ng
> EDS Australia Pty. Ltd.
> email : [EMAIL PROTECTED]

I imagine you could configure Portsentry to do this for you with some
crafty configuring. I would look into that and/or possibly using a log
rule for iptables combined with a script to look for these people
hammering on the server and set a drop rule based on them. Another good
move might be to start your ftpd on a different port if possible so as
to separate the legitimate users from these spammers.

-- 
Eric Nelson <[EMAIL PROTECTED]>
GPG-key: C4AB5707
http://www.megahosted.com/~en/
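
The log-watching script suggested in the reply above could take roughly this shape. This is an added example, not code from either poster: it reads proftpd syslog lines in the format quoted in the thread, flags addresses with repeated "no such user" failures, and emits iptables commands for a 24-hour block. The threshold, the counting window, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the proftpd syslog lines quoted in the thread. Only a dotted-quad
# address can be captured, so nothing else from the log reaches the command.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
                  r"\(\S*\[(\d{1,3}(?:\.\d{1,3}){3})\]\) - (.+)$")
THRESHOLD = 3                      # assumed: failures tolerated per window
WINDOW = timedelta(seconds=60)     # assumed: counting window
BLOCK_FOR = timedelta(hours=24)    # block length asked for in the thread

def find_offenders(lines, year):
    """Return {ip: block_expiry} for IPs with THRESHOLD failures inside WINDOW.

    Lines are expected in chronological order, as syslog writes them."""
    recent = defaultdict(deque)
    blocks = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(3).startswith("no such user"):
            continue
        # Syslog timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(ts)
        while ts - hits[0] > WINDOW:      # drop failures older than the window
            hits.popleft()
        if len(hits) >= THRESHOLD:
            blocks[m.group(2)] = ts + BLOCK_FOR   # repeat offences extend it
    return blocks

def firewall_commands(blocks, now):
    """Insert a DROP rule for live blocks, delete the rule for expired ones."""
    rule = "INPUT -s {} -p tcp --dport 21 -j DROP"
    return [f"iptables -{'I' if expiry > now else 'D'} " + rule.format(ip)
            for ip, expiry in sorted(blocks.items())]

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = [
    "Jan 12 14:36:21 host proftpd[101]: ftp.example (a.example[203.0.113.7]) - FTP session opened.",
    "Jan 12 14:36:22 host proftpd[101]: ftp.example (a.example[203.0.113.7]) - no such user 'anonymous'",
    "Jan 12 14:36:22 host proftpd[102]: ftp.example (a.example[203.0.113.7]) - no such user 'anonymous'",
    "Jan 12 14:36:23 host proftpd[103]: ftp.example (a.example[203.0.113.7]) - no such user 'anonymous'",
    "Jan 12 14:40:05 host proftpd[104]: ftp.example (b.example[198.51.100.20]) - no such user 'bob'",
]

if __name__ == "__main__":
    for cmd in firewall_commands(find_offenders(SAMPLE, 2003), datetime(2003, 1, 12, 15, 0)):
        print(cmd)
```

The functions only return command strings; a cron job that applies them would also need to remember which rules it has already inserted so that repeated runs do not stack duplicate rules.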
